Abstract

McLean's notion of Selective Interleaving Functions (SIFs) is perhaps the best-known attempt to construct a framework for expressing various security properties. We examine the expressive power of SIFs carefully. We show that SIFs cannot capture nondeducibility on strategies (NOS). We also prove that the set of security properties expressed with SIFs is not closed under conjunction, from which it follows that separability is strictly stronger than double generalized noninterference. However, we show that if we generalize the notion of SIF in a natural way, then NOS is expressible, and the set of security properties expressible by generalized SIFs is closed under conjunction.



1 Introduction 

Trying to formalize what it means for a system to be secure is a far from trivial task. 
Many definitions of security have been proposed, using quite different formalisms. One 
intuition that many of these definitions have tried to capture is that a system is secure if 
no information flows from a higher-level user to a lower-level user [Goguen and Meseguer 
1982]. (From here on in, we just call these users high and low, respectively.) This 
intuition, in turn, is captured by saying that, given their local observations, low users 
cannot rule out any possible behavior of high users. But even this intuition can be 
formalized in a number of ways, depending on what we understand by "high behavior" 
and on what kind of information we specifically want to protect. 

Many current approaches to defining security (for example, [McLean 1990; McLean 1994; Wittbold and Johnson 1990; McCullough 1987]) assume that high and low users send input values to the system, which responds with output values. The "system" is then modeled as a set of sequences (traces) of low/high input and output values. Various definitions of security then impose conditions on the set of possible traces.

The following are some of the best-known definitions from the literature: 
• Separability (abbreviated SEP) [McLean 1994] is one of the most restrictive definitions. It requires that the system can be viewed as being composed of two independent subsystems, corresponding to the low and high users: every possible trace generated by the low user is compatible with every trace produced by the high user. While a separable system is certainly secure under any reasonable definition of security, it is unrealistic to expect systems to be separable in practice. Moreover, not all interactions between high and low users may be seen as a breach in the system's security. After all, the main motivation behind theories of information flow is to understand which types of such interactions are admissible.

• We can slightly relax separability by requiring only that the low activity be independent of the sequence of high inputs. The new property is called generalized noninterference (GNI) [McCullough 1987].

• Traces are not generated at random. They usually come as a result of strategies: rules that stipulate the next input based on the history of input-output values. It has been argued that security really involves the low user not finding out anything about the high user's strategy. This notion is captured by nondeducibility on strategies (NOS) [Wittbold and Johnson 1990].

Given all these different notions of security, it is helpful to have a single unified framework in which to express them and compare their relative strengths. One attempt to do so was suggested by McLean [1990, 1994]. McLean observed that most of the above security properties may be expressed as closure conditions on systems (i.e., on sets of traces): a system satisfies a given security property if for every pair of traces in the system there is a trace in the system satisfying certain properties. This intuition is formalized by associating to a security property a set $F$ of functions from pairs of traces to traces; such a mapping from pairs of traces to traces is called a selective interleaving function (SIF). A system $\Sigma$ is said to satisfy a security property if it is closed under the associated set $F$ of SIFs, i.e., for all $\sigma_1, \sigma_2 \in \Sigma$ there is some $f \in F$ such that $f(\sigma_1, \sigma_2) \in \Sigma$.

McLean focuses on some particularly natural sets of SIFs that he calls types. To 
understand the notion of a type, we need to look more carefully at the structure of 
traces. Traces are assumed to be sequences of tuples of the form (high input, low input, 
high output, low output). A type consists of all SIFs that, given two traces as arguments, 
combine some components from the first trace with some components from the second 
and that satisfy certain restrictions (for example, combining the high input from the first 
trace and the low output from the second trace). 

McLean shows that a number of security properties, including SEP and GNI, can be represented by types in the sense that there exists a type $T$ such that a system $\Sigma$ has security property $\mathcal{S}$ if and only if $\Sigma$ is closed under type $T$. He thus suggests that types provide a reasonable framework in which to examine security properties. Zakinthinos and Lee [1997] point out that, in their system model (which is slightly different from that used by McLean — see Section 5), there are security properties that cannot be expressed in terms of closure under types. In this paper, we examine this question more carefully.

We show that NOS cannot be represented by types. We also show that another natural property that we call double generalized noninterference (DGNI) cannot be expressed either. DGNI requires both that low activity is independent of the high inputs and that high activity is independent of the low inputs. The counterexample for DGNI actually proves the more general result that security properties expressible by types are not closed under conjunction. More precisely, there are types $T_1$ and $T_2$ such that for no type $T$ is it the case that a system is closed under both $T_1$ and $T_2$ if and only if it is closed under $T$.

These negative results are proved under the assumption that the only sets of SIFs are types. If we allow more general sets of SIFs, these results no longer hold. NOS and DGNI are both expressible; moreover, in the more general setting, we have closure under conjunction. However, considering closure under arbitrary sets of SIFs is arguably not the most natural setting in which to examine security properties. Moreover, it is far from clear that even this setting is as expressive as we would like.

The rest of the paper is organized as follows. Section 2 reviews the formal definitions of the security properties discussed above and McLean's SIF framework. Section 3 contains the negative results of the paper. It shows that NOS and DGNI cannot be represented by types. Section 4 shows that these negative results do not hold if we consider closure under sets of SIFs more general than types. In fact, under the assumption that the set of traces is countable, this framework captures all security properties. Section 5 relates our results to those of Zakinthinos and Lee [1997]. We conclude in Section 6 with some discussion of the general issue of representing security properties.

2 Security Properties and SIFs: A Review 

Notation: Following McLean [1994], a trace $\sigma$ is a sequence of tuples of the form (high input, low input, high output, low output). We assume that we are given a set $\Sigma^*$ of traces (which McLean [1994] calls the trace space). Intuitively, $\Sigma^*$ is the set of all possible traces.

Definition 2.1: A system $\Sigma$ (in $\Sigma^*$) is a subset of $\Sigma^*$. |

Intuitively, $\Sigma$ is a collection of traces generated according to some protocol or protocols. McLean implicitly assumes that traces are infinite. We allow traces to be finite or infinite (although we could equally well restrict to sets $\Sigma^*$ that have just finite or just infinite traces). Note that, because of the form of traces, the system is synchronous. Let $2^{\Sigma^*}$ be the power set of $\Sigma^*$.

Definition 2.2: A security property $\mathcal{S}$ (on $\Sigma^*$) is a predicate on $2^{\Sigma^*}$; that is, a security property is a set of systems in $\Sigma^*$. |
Intuitively, $\mathcal{S}$ picks out some systems in $\Sigma^*$ as the "good" systems, the ones that satisfy the property. We may not want to allow an arbitrary set of systems to be a security property. However, we have not yet come up with any reasonable restrictions on the sets of systems that count as security properties. Interestingly, Zakinthinos and Lee [1997] do put a restriction on what counts as a security property. We discuss their restriction in Section 5 and argue that it is not particularly well motivated. Note that our negative results consider specific sets of systems that correspond to security properties that have already been considered in the literature, so they should satisfy any reasonable restrictions we may want to place on the definition.

Definition 2.3: Given a trace $\sigma$, we denote by $\sigma|_L$ the low view of $\sigma$, the sequence consisting of the (low input, low output) projection. We similarly denote by $\sigma|_H$ the high view of $\sigma$, and by $\sigma|_{HI}$ the sequence consisting just of the high inputs. |

We can now formalize the notions of security discussed in the Introduction. 

Separability As mentioned before, SEP is a strong security requirement that the low and high events be independent, meaning that any low view of a trace should be compatible with any high view of a trace. Formally, a system $\Sigma$ satisfies SEP if

$$\forall \sigma_1, \sigma_2 \in \Sigma \; \exists \sigma \in \Sigma \; (\sigma|_L = \sigma_1|_L \wedge \sigma|_H = \sigma_2|_H).$$

Thus, if $\Sigma$ satisfies SEP, then we can combine the low view of one trace in $\Sigma$ and the high view of another trace in $\Sigma$ to obtain a trace in $\Sigma$. Notice that SEP is a closure condition on the set of traces, since for every pair of traces in $\Sigma$, there is a trace in $\Sigma$ with a specific property (namely, the same low view as the first trace, and the same high view as the second trace).

GNI and DGNI GNI is a weakening of SEP. A system $\Sigma$ satisfies GNI if the low view of one trace is compatible with the high input view of any other trace; that is,

$$\forall \sigma_1, \sigma_2 \in \Sigma \; \exists \sigma \in \Sigma \; (\sigma|_L = \sigma_1|_L \wedge \sigma|_{HI} = \sigma_2|_{HI}).$$

Like SEP, GNI is a closure condition on the set of traces. Notice that, unlike SEP, GNI places no constraints on the high output sequence in $\sigma$.
A system $\Sigma$ satisfies reverse GNI (RGNI) if

$$\forall \sigma_1, \sigma_2 \in \Sigma \; \exists \sigma \in \Sigma \; (\sigma|_H = \sigma_1|_H \wedge \sigma|_{LI} = \sigma_2|_{LI}).$$

Again, RGNI is a closure condition on the set of traces.

A system $\Sigma$ satisfies double GNI (DGNI) if it satisfies both GNI and reverse GNI. Unlike the above properties, DGNI is not a closure condition on the set of traces; it is the conjunction of two such closure conditions.

Clearly SEP implies GNI and DGNI: given $\sigma_1$ and $\sigma_2$, the trace $\sigma$ guaranteed to exist by SEP satisfies all the properties required for GNI and DGNI. However, as we shall see, the converse does not hold in general.






Nondeducibility on strategies Wittbold and Johnson [1990] pointed out that in security it is often necessary to take into account the strategies being used by low and high to generate the traces. A protocol for user $u$ determines the input that $u$ provides to the system as a function of $u$'s previous input and output values. A protocol for the system determines the high and low output values as a function of previous high and low inputs and outputs and the current high and low inputs.

Protocols can be nondeterministic or probabilistic. In this paper we do not consider probabilistic protocols, since the security conditions we consider are possibilistic (that is, they make no mention of probabilities). For the purposes of this discussion, assume that the low user is following a fixed protocol $P_L$ and the system is following a fixed protocol $P_S$. Let $\mathcal{H}^*$ be the set of all possible high protocols. If $H \in \mathcal{H}^*$, let $\Sigma_H$ be the set of traces generated by running $(P_S, P_L, H)$. If $\mathcal{H} \subseteq \mathcal{H}^*$, then define $\Sigma_{\mathcal{H}} = \bigcup_{H \in \mathcal{H}} \Sigma_H$. (Note that this is not necessarily a disjoint union.) Let $\mathcal{S}_{\mathcal{H}^*}$ consist of all systems of the form $\Sigma_{\mathcal{H}}$ for some $\mathcal{H} \subseteq \mathcal{H}^*$.

With this background, we can define NOS. The system $\Sigma_{\mathcal{H}}$ satisfies NOS if

$$\forall \sigma \in \Sigma_{\mathcal{H}} \; \forall H \in \mathcal{H} \; \exists \sigma' \in \Sigma_H \; (\sigma'|_L = \sigma|_L).$$

Thus, for every trace $\sigma \in \Sigma_{\mathcal{H}}$ and every high strategy $H \in \mathcal{H}$, there must be a trace $\sigma' \in \Sigma_H$, that is, a trace where the high user runs $H$, whose low view is the same as that of $\sigma$. Note that NOS is defined only for systems of the form $\Sigma_{\mathcal{H}}$.

For the definition above to make sense, it must be the case that if two sets $\mathcal{H}$ and $\mathcal{H}'$ of protocols generate the same set of traces, i.e., if $\Sigma_{\mathcal{H}} = \Sigma_{\mathcal{H}'}$, then $\Sigma_{\mathcal{H}}$ satisfies NOS if and only if $\Sigma_{\mathcal{H}'}$ satisfies NOS. One way to ensure this is by focusing on sets of strategies $\mathcal{H}^*$ such that there is an injective mapping from $\mathcal{H}$ to $\Sigma_{\mathcal{H}}$; in other words, if $\mathcal{H}$ and $\mathcal{H}'$ are distinct subsets of $\mathcal{H}^*$, then we have $\Sigma_{\mathcal{H}} \neq \Sigma_{\mathcal{H}'}$. This is equivalent to requiring that for any protocol $H \in \mathcal{H}^*$ and subset $\mathcal{H} \subseteq \mathcal{H}^*$ such that $H \notin \mathcal{H}$, we have $\Sigma_H - \Sigma_{\mathcal{H}} \neq \emptyset$. To see why this is the case, suppose first that if $\mathcal{H} \neq \mathcal{H}'$, then $\Sigma_{\mathcal{H}} \neq \Sigma_{\mathcal{H}'}$. Let $\mathcal{H} \subseteq \mathcal{H}^*$ and $H \in \mathcal{H}^*$ such that $H \notin \mathcal{H}$. Then we can simply take $\mathcal{H}' = \{H\} \cup \mathcal{H}$ and since $\mathcal{H}' \neq \mathcal{H}$, we can apply the hypothesis and deduce that $\Sigma_{\mathcal{H}'} \neq \Sigma_{\mathcal{H}}$, or equivalently, $\Sigma_H \cup \Sigma_{\mathcal{H}} \neq \Sigma_{\mathcal{H}}$. This means that $\Sigma_H - \Sigma_{\mathcal{H}} \neq \emptyset$. For the converse, suppose that $\Sigma_H - \Sigma_{\mathcal{H}} \neq \emptyset$ for all $H$ and $\mathcal{H}$ such that $H \notin \mathcal{H}$. Let $\mathcal{H}$ and $\mathcal{H}'$ be two distinct subsets of $\mathcal{H}^*$; since $\mathcal{H} \neq \mathcal{H}'$, either $\mathcal{H} - \mathcal{H}' \neq \emptyset$ or $\mathcal{H}' - \mathcal{H} \neq \emptyset$. Without loss of generality, we can assume that we are in the first case, and let $H$ be a strategy in $\mathcal{H} - \mathcal{H}'$. By assumption, $\Sigma_H - \Sigma_{\mathcal{H}'} \neq \emptyset$. Since $H \in \mathcal{H}$, it follows that $\Sigma_H \subseteq \Sigma_{\mathcal{H}}$, and so $\Sigma_{\mathcal{H}} - \Sigma_{\mathcal{H}'} \neq \emptyset$; in particular, $\Sigma_{\mathcal{H}} \neq \Sigma_{\mathcal{H}'}$. In short, for the definition of NOS to make sense, it suffices to assume that for any strategy $H$ and set $\mathcal{H}$ such that $H \notin \mathcal{H}$, there is a trace generated by $H$ that is not generated by any protocol in $\mathcal{H}$. For the rest of the paper, we make this assumption when dealing with NOS.

It is interesting to notice that NOS is not a closure condition on the set of traces, which suggests that NOS is different in nature from SEP or GNI; this intuition will be formalized in Theorem 3.1.
These security properties are related.

Proposition 2.4: Let $\Sigma$ be a system and let $\mathcal{H} \subseteq \mathcal{H}^*$.

(a) If $\Sigma$ satisfies SEP, then it satisfies DGNI.

(b) If $\Sigma$ satisfies DGNI, then it satisfies GNI.

(c) If $\Sigma_{\mathcal{H}}$ satisfies SEP, then it satisfies NOS.

Proof: Parts (a) and (b) are almost immediate from the definitions. For part (c), suppose that the system $\Sigma_{\mathcal{H}}$ satisfies SEP, $\sigma \in \Sigma_{\mathcal{H}}$ and $H \in \mathcal{H}$. Choose $\sigma^H \in \Sigma_H$. (There must always be at least one trace generated by running $(P_S, P_L, H)$, so $\Sigma_H \neq \emptyset$.) By SEP, there exists some $\sigma' \in \Sigma_{\mathcal{H}}$ such that $\sigma'|_L = \sigma|_L$ and $\sigma'|_H = \sigma^H|_H$. Since the inputs determined by $H$ at time $k+1$ depend only on the sequence of $H$'s input and output values up to and including time $k$, it immediately follows that $\sigma' \in \Sigma_H$. Thus, $\Sigma_{\mathcal{H}}$ satisfies NOS. |

The converses to (a), (b), and (c) do not hold in general, as the following examples 
show. 

Example 2.5: Let $\Sigma_{DGNI}$ consist of the 15 traces of the form (As usual, we use the notation $(x_1, x_2, x_3, x_4)^\omega$ to denote the trace where $(x_1, x_2, x_3, x_4)$ repeats forever.) It is easy to see that this system does not satisfy SEP (for example, $(0,0,0,0)^\omega$ and $(1,1,1,1)^\omega$ are in $\Sigma_{DGNI}$, but $(1,0,1,0)^\omega$ is not), but does satisfy DGNI. |

Example 2.6: Consider the system $\Sigma_{GNI} = \{\sigma_1, \sigma_2, \sigma_3, \sigma_4\}$, where $\sigma_1 = (1,0,1,0)^\omega$, $\sigma_2 = (1,1,0,1)^\omega$, $\sigma_3 = (0,0,0,0)^\omega$, and $\sigma_4 = (0,1,1,1)^\omega$. It is easy to check that $\Sigma_{GNI}$ satisfies GNI, but it does not satisfy DGNI, since there is no trace $\sigma \in \Sigma_{GNI}$ such that $\sigma|_H = \sigma_2|_H$ and $\sigma|_{LI} = \sigma_3|_{LI}$. |

Example 2.7: Let $\mathcal{H}^*$ consist of one protocol $H$; according to $H$, the high user first inputs 0 and then, at each step, inputs the previous low input value. Let $P_L$'s protocol be such that, initially, the low user nondeterministically chooses either 0 or 1, and then inputs that value at every step. Finally, let the system protocol be such that the low output and high output agree with the low input. The system $\Sigma_{NOS}$ generated by this protocol consists of two traces: $(0,1,1,1)(1,1,1,1)^\omega$ and $(0,0,0,0)^\omega$. Since $\mathcal{H}^*$ consists of only one protocol, $\Sigma_{NOS}$ trivially satisfies NOS. It is also immediate that $\Sigma_{NOS}$ does not satisfy SEP, since $(0,1,0,1)^\omega$ is not in $\Sigma_{NOS}$. |

One common trait of the majority of the above security properties is their correspondence to closure conditions on sets of traces (i.e., on systems): a system $\Sigma$ satisfies a security property if some closure condition on $\Sigma$ holds. One way to formalize this approach is to associate to each security property a set $F$ of functions from pairs of traces to traces.
Definition 2.8: A SIF (on $\Sigma^*$) is a partial function $f : \Sigma^* \times \Sigma^* \to \Sigma^*$. That is, a SIF takes two traces and (if defined) returns a trace. |

Our notion of SIF slightly extends McLean's by allowing partial functions; this is convenient for the positive results in Section 4.

Definition 2.9: A system $\Sigma$ is closed under a set $F$ of SIFs if, for all $\sigma_1, \sigma_2 \in \Sigma$, there exists some $f \in F$ such that ($f(\sigma_1, \sigma_2)$ is defined and) $f(\sigma_1, \sigma_2) \in \Sigma$.^1 |

Of particular interest are certain sets of SIFs called types.^2

Definition 2.10: A SIF $f$ has type $((in^H : in^L), (out^H : out^L))$, where $in^H, in^L, out^H, out^L \in \{0, 1, 2\}$, if $f$ is total and $\sigma_3 = f(\sigma_1, \sigma_2)$ satisfies the following constraints:

• If $in^H = 1$, then $\sigma_3|_{HI} = \sigma_1|_{HI}$: the high inputs of $f(\sigma_1, \sigma_2)$ are the same as the high inputs of $\sigma_1$.

• If $in^H = 2$, then $\sigma_3|_{HI} = \sigma_2|_{HI}$: the high inputs of $f(\sigma_1, \sigma_2)$ are the same as the high inputs of $\sigma_2$.

• If $in^H = 0$, then there are no constraints on $\sigma_3|_{HI}$.

There are 9 other similar clauses, depending on the value of the other components in the tuple. |

Thus, for example, if $f$ has type $((1 : 2), (0 : 2))$ and $f(\sigma_1, \sigma_2) = \tau$, then $\tau \in \Sigma^*$, $\tau|_{HI} = \sigma_1|_{HI}$ (the high input views of $\tau$ and $\sigma_1$ are identical), $\tau|_{LI} = \sigma_2|_{LI}$ (the low input views of $\tau$ and $\sigma_2$ are identical), there is no restriction on the high output view $\tau|_{HO}$ of $\tau$, and $\tau|_{LO} = \sigma_2|_{LO}$ (the low output views of $\tau$ and $\sigma_2$ are identical).

Let $T_{((i_1:i_2),(j_1:j_2))}$ consist of all SIFs of type $((i_1 : i_2), (j_1 : j_2))$. Note that if none of $i_1$, $i_2$, $j_1$ or $j_2$ is 0, then $T_{((i_1:i_2),(j_1:j_2))}$ is a singleton set.

If there is a single high user and a single low user (as we have been assuming here) there are 81 possible types. (Not all these types are distinct, as we shall see.) Since a type is just a set of SIFs, it makes sense to talk about a system being closed under a type, using our earlier definition.

^1 We remark that McLean [1994] actually does not make it clear if the choice of $f$ can depend on the pair of traces, although it seems that it can. In any case, in our positive results, we show that we can take the $f$ to depend only on the system, not the traces. Indeed, in the framework of Section 4, the two choices lead to equivalent definitions.

^2 We remark that McLean [1994] occasionally interchanges the terms function and type. For example, when he says that a system is closed under a function, what is meant is that the system is actually closed under the type of the function (that is, under the set of functions of a particular type). We have tried to be careful in our usage here.
Definition 2.11: Let $\mathcal{S}'$ be a set of systems (i.e., subsets of $\Sigma^*$) and let $\mathcal{S}$ be a security property. (Recall that a security property is also a set of systems.) A type $T$ $\mathcal{S}'$-represents a security property $\mathcal{S}$ (represents $\mathcal{S}$ with respect to $\mathcal{S}'$) if, for all systems $\Sigma \in \mathcal{S}'$, $\Sigma \in \mathcal{S}$ if and only if $\Sigma$ is closed under type $T$. |

The reason that we allow the generality of representation with respect to a set $\mathcal{S}'$ of systems is that, in the case of NOS, we are interested only in systems in $\mathcal{S}_{\mathcal{H}^*}$ (that is, systems of the form $\Sigma_{\mathcal{H}}$ for some $\mathcal{H} \subseteq \mathcal{H}^*$). Let $\mathcal{S}^*$ denote the set of all subsets of $\Sigma^*$. McLean shows that SEP and GNI can both be represented by types.

Proposition 2.12: [McLean 1994]

(a) SEP is $\mathcal{S}^*$-represented by the type $T_{((1:2),(1:2))}$.

(b) GNI is $\mathcal{S}^*$-represented by the type $T_{((1:2),(0:2))}$.

McLean [1994] also shows that other security properties, such as noninference [O'Halloran 
1990], generalized noninference [McLean 1994], and noninterference [Goguen and Meseguer 
1982], are represented by types. 
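The closure conditions of Section 2 and the type closure of Definition 2.10 and Proposition 2.12, worked through as an added Python example (not code from the paper): it represents the ultimately periodic traces of Examples 2.5, 2.6 and 2.7 as (prefix, loop) pairs, checks SEP, GNI, reverse GNI and DGNI on those three systems, and decides closure under any of the 81 types. Two assumptions: the listing of $\Sigma_{DGNI}$ is cut off in this copy, so the block takes it to be every binary tuple except $(1,0,1,0)^\omega$ (consistent with the example's remarks), and the trace space $\Sigma^*$ is assumed to contain every recombination of components.

```python
"""Added example (not code from the paper): checking SEP, GNI, reverse GNI and
DGNI on small systems of ultimately periodic traces, and closure under a McLean
type ((in^H : in^L), (out^H : out^L)) as in Definition 2.10."""
from itertools import product
from math import lcm

# Positions of the components in each (high in, low in, high out, low out) tuple.
HI, LI, HO, LO = 0, 1, 2, 3
L_VIEW, H_VIEW = (LI, LO), (HI, HO)     # sigma|_L and sigma|_H of Definition 2.3


class Trace:
    """An ultimately periodic trace u v^omega, stored as (prefix u, loop v)."""

    def __init__(self, prefix, loop):
        self.prefix, self.loop = tuple(prefix), tuple(loop)   # loop is non-empty

    def unroll(self, n):
        """The first n tuples of the trace."""
        out = list(self.prefix)
        while len(out) < n:
            out.extend(self.loop)
        return out[:n]


def same_view(s1, s2, comps):
    """True iff s1 and s2 agree on the components `comps` at every step.
    u1 v1^omega and u2 v2^omega agree forever iff they agree on the first
    max(|u1|, |u2|) + lcm(|v1|, |v2|) positions, so the comparison is exact."""
    n = max(len(s1.prefix), len(s2.prefix)) + lcm(len(s1.loop), len(s2.loop))
    return all(a[c] == b[c]
               for a, b in zip(s1.unroll(n), s2.unroll(n)) for c in comps)


def closed_under(system, first, second):
    """Closure condition: for all s1, s2 in the system there is some s in the
    system agreeing with s1 on `first` and with s2 on `second`."""
    return all(any(same_view(s, s1, first) and same_view(s, s2, second)
                   for s in system)
               for s1, s2 in product(system, repeat=2))


# The closure conditions of Section 2 as (components taken from sigma_1,
# components taken from sigma_2).
PROPERTIES = {
    "SEP": (L_VIEW, H_VIEW),    # sigma|_L = sigma_1|_L and sigma|_H = sigma_2|_H
    "GNI": (L_VIEW, (HI,)),     # sigma|_L = sigma_1|_L and sigma|_HI = sigma_2|_HI
    "RGNI": (H_VIEW, (LI,)),    # sigma|_H = sigma_1|_H and sigma|_LI = sigma_2|_LI
}


def satisfies(system, prop):
    """Does the system satisfy SEP, GNI, RGNI or DGNI (= GNI and RGNI)?"""
    if prop == "DGNI":
        return satisfies(system, "GNI") and satisfies(system, "RGNI")
    return closed_under(system, *PROPERTIES[prop])


def closed_under_type(system, typ):
    """Closure under the type ((in_h : in_l), (out_h : out_l)): a component of
    f(s1, s2) is copied from s1 where the entry is 1, from s2 where it is 2 and
    is unconstrained where it is 0.  Assumes the trace space contains every
    combination of components and that f may be chosen per pair (footnote 1)."""
    (in_h, in_l), (out_h, out_l) = typ
    spec = {HI: in_h, LI: in_l, HO: out_h, LO: out_l}
    first = tuple(c for c, v in spec.items() if v == 1)
    second = tuple(c for c, v in spec.items() if v == 2)
    return closed_under(system, first, second)


def all_types():
    """The 3^4 = 81 types of Definition 2.10."""
    return [((a, b), (c, d)) for a, b, c, d in product((0, 1, 2), repeat=4)]


def candidate_types(good, bad):
    """Types under which `good` is closed but `bad` is not: the brute-force
    elimination over the 81 types that Section 3 relies on."""
    return [t for t in all_types()
            if closed_under_type(good, t) and not closed_under_type(bad, t)]


def rep(t):
    """The trace (x1, x2, x3, x4)^omega."""
    return Trace((), (t,))


# Example 2.5.  The listing of its 15 traces is cut off in this copy of the paper;
# ASSUMED here to be every binary (x1,x2,x3,x4)^omega except (1,0,1,0)^omega,
# which matches the remarks the example makes.
SIGMA_DGNI = [rep(t) for t in product((0, 1), repeat=4) if t != (1, 0, 1, 0)]
# Example 2.6.
SIGMA_GNI = [rep((1, 0, 1, 0)), rep((1, 1, 0, 1)), rep((0, 0, 0, 0)), rep((0, 1, 1, 1))]
# Example 2.7: (0,1,1,1)(1,1,1,1)^omega and (0,0,0,0)^omega.
SIGMA_NOS = [Trace([(0, 1, 1, 1)], [(1, 1, 1, 1)]), rep((0, 0, 0, 0))]

SEP_TYPE = ((1, 2), (1, 2))     # Proposition 2.12(a)
GNI_TYPE = ((1, 2), (0, 2))     # Proposition 2.12(b)
RGNI_TYPE = ((1, 2), (1, 0))    # reverse GNI, read off its definition in Section 2

if __name__ == "__main__":
    for name, system in (("Sigma_DGNI", SIGMA_DGNI), ("Sigma_GNI", SIGMA_GNI),
                         ("Sigma_NOS", SIGMA_NOS)):
        print(name, {p: satisfies(system, p) for p in ("SEP", "GNI", "RGNI", "DGNI")})
    print("types under which Sigma_DGNI but not Sigma_GNI is closed:",
          len(candidate_types(SIGMA_DGNI, SIGMA_GNI)))
```

`candidate_types` only narrows the search: a type surviving it is still a candidate, and ruling it out needs further systems, which is what the appendix's case analysis does.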

3 Types are Insufficiently Expressive 

Although McLean did show that a number of security properties of interest can be represented by types, given that there are only 81 types, it is perhaps not surprising that there should be some interesting security properties that are not representable by any type. In this section, we prove the two negative results discussed in the introduction: that neither NOS nor DGNI is representable by types, and that the properties representable by types are not closed under conjunction. We also show that the properties represented by types are not closed under disjunction either.

Theorem 3.1: NOS is not $\mathcal{S}_{\mathcal{H}^*}$-representable by a type.

Theorem 3.2: DGNI is not $\mathcal{S}^*$-representable by a type.

Since there are only $3^4 = 81$ possible types, we can prove both Theorems 3.1 and 3.2 by checking each of these types. We make a number of observations that allow us to significantly reduce the number of types that need to be checked, making it a manageable problem. We leave details to the appendix.

Theorem 3.2 is actually an instance of a more general result. 

Definition 3.3: A set $\mathcal{P}$ of security properties is closed under conjunction if $\mathcal{S}_1, \mathcal{S}_2 \in \mathcal{P}$ implies that $\mathcal{S}_1 \cap \mathcal{S}_2 \in \mathcal{P}$. Similarly, $\mathcal{P}$ is closed under disjunction if $\mathcal{S}_1, \mathcal{S}_2 \in \mathcal{P}$ implies that $\mathcal{S}_1 \cup \mathcal{S}_2 \in \mathcal{P}$. |
Closure under conjunction seems like a natural requirement for security properties. We may be interested in systems that satisfy both security property $\mathcal{S}_1$ and security property $\mathcal{S}_2$. Closure under disjunction may also be of interest; that is, we may investigate a system that satisfies either one of properties $\mathcal{S}_1$ or $\mathcal{S}_2$.

Corollary 3.4: The set of security properties representable by types is not closed under 
conjunction. 

Proof: GNI and reverse GNI are representable by types, but the security property resulting from their conjunction (DGNI) is not representable by types. |

Theorem 3.5: The set of security properties representable by types is not closed under 
disjunction. 

Proof: See the appendix. | 



4 Representation by SIFs 

The definition of closure under a set $F$ of SIFs makes sense for arbitrary sets $F$, not just for types. Thus, just as for types, we can say that a set $F$ of SIFs $\mathcal{S}'$-represents a security property $\mathcal{S}$ if, for all systems $\Sigma \in \mathcal{S}'$, $\Sigma \in \mathcal{S}$ if and only if $\Sigma$ is closed under $F$. In this section we show that, if we consider arbitrary sets of SIFs rather than types, the negative results of the previous section no longer hold. More specifically, we prove that NOS is representable by SIFs and that the set of security properties representable by SIFs is closed under conjunction and disjunction. Furthermore, under certain assumptions (that are satisfied by most systems of interest), we show that every security property can be represented by SIFs. However, the representation is rather convoluted, and requires understanding what set of systems satisfies the property. This negates the whole point of using the approach to describe properties. If we already know what systems satisfy the security property, we can just work with that set directly. However, we show that a more uniform way of representing security properties can be obtained by allowing generalized SIFs that associate with each pair of traces a set of traces.

We start by showing that NOS is representable by SIFs.

Theorem 4.1: NOS is $\mathcal{S}_{\mathcal{H}^*}$-representable by SIFs.

Proof: We must find a set $F$ of SIFs such that a system $\Sigma \in \mathcal{S}_{\mathcal{H}^*}$ satisfies NOS if and only if it is closed under $F$. Given a protocol $H \in \mathcal{H}^*$ and a trace $\sigma \in \Sigma_H$, let $f_{H,\sigma}(\sigma_1, \sigma_2)$ be the trace $\sigma$ if $\sigma|_L = \sigma_1|_L$ and $\sigma_2 \in \Sigma_H$, and undefined otherwise. (Recall that we allow partial functions.)^3 Let $F$ be the set of all such functions. It is easy to show that if $\Sigma_{\mathcal{H}}$ satisfies NOS, then it is closed under $F$. Now suppose that $\Sigma_{\mathcal{H}}$ is closed under $F$. Given $\sigma \in \Sigma_{\mathcal{H}}$ and $H \in \mathcal{H}$, as we mentioned earlier, by our assumption that $\Sigma_{\mathcal{H}} \neq \Sigma_{\mathcal{H}'}$ for any $\mathcal{H}' \neq \mathcal{H}$ (in particular, for $\mathcal{H}' = \mathcal{H} - \{H\}$), there must be a trace $\sigma^H$ generated by $H$ that is not generated by any other protocol in $\mathcal{H}$. Since $\Sigma_{\mathcal{H}}$ is closed under $F$, there is a function $f_{H',\sigma'}$ in $F$ such that $f_{H',\sigma'}(\sigma, \sigma^H) \in \Sigma_{\mathcal{H}}$. Then $f_{H',\sigma'}(\sigma, \sigma^H) = \sigma'$, $\sigma'|_L = \sigma|_L$, and $\sigma^H \in \Sigma_{H'}$. By definition of $\sigma^H$, it must be the case that $H' = H$, so $\sigma' \in \Sigma_H$ and $\sigma'|_L = \sigma|_L$. Thus, $\Sigma_{\mathcal{H}}$ satisfies NOS. |

The following result is also easy to see. 

Proposition 4.2: The set of security properties $\mathcal{S}^*$-representable by SIFs is closed under disjunction.

Proof: Suppose that $\mathcal{S}_1$ is represented by $F_1$ and $\mathcal{S}_2$ is represented by $F_2$. Then $\mathcal{S}_1 \cup \mathcal{S}_2$ is represented by $F_1 \cup F_2$. |

These results show that allowing arbitrary SIFs gives much more expressive power than just considering types. Exactly how expressive are they? As we now show, they are quite expressive: if $\Sigma^*$ is countable, then every security property is representable by SIFs. This already means that for many systems of interest, all security properties are expressible with SIFs. For example, if the underlying protocols being represented by $\Sigma^*$ all terminate, and there are only countably many of them, then $\Sigma^*$ will be countable. But if we allow nonterminating protocols that, for example, nondeterministically output either 0 or 1 at every step, then the set of traces will be uncountable. However, we can extend the result to uncountable sets, provided that they are not "unreasonable".

Say that a set $\mathcal{S}'$ of systems is countably generated if for all $\Sigma \in \mathcal{S}'$, there exists a countable set $\Sigma_c$ of traces in $\Sigma$ such that if $\Sigma' \in \mathcal{S}'$ and $\Sigma' \subsetneq \Sigma$, then there is a trace $\sigma \in \Sigma_c - \Sigma'$. Clearly if $\Sigma^*$ is countable, then any security property on $\Sigma^*$ is countably generated. (Just take $\Sigma_c = \Sigma$.) But the notion of countable generation also applies to interesting possibly uncountable systems. Given a trace $\sigma$, let $\sigma_{1:n}$ be the prefix of $\sigma$ of length $n$; if $\sigma$ is finite and has length less than $n$, then $\sigma_{1:n} = \sigma$. A set $\Sigma \subseteq \Sigma^*$ of traces is limit closed [Emerson 1983] if for every $\sigma \in \Sigma^*$ such that, for all $n \in \mathbb{N}$, there exists $\sigma' \in \Sigma$ with $\sigma_{1:n} = \sigma'_{1:n}$, it is the case that $\sigma \in \Sigma$. Intuitively, $\Sigma$ is limit closed if, whenever it contains every prefix of a trace $\sigma$, it also contains $\sigma$.

Lemma 4.3: If $\mathcal{S}'$ consists only of limit-closed sets of traces, and the set of possible inputs and outputs is countable, then $\mathcal{S}'$ is countably generated.

^3 If we restrict to systems $\Sigma^*$ and sets $\mathcal{H}^*$ such that there is some trace $\sigma_0 \notin \bigcup_{H \in \mathcal{H}^*} \Sigma_H$, then NOS is $\mathcal{S}_{\mathcal{H}^*}$-representable by total SIFs. The proof is essentially the same as that given for Theorem 4.1, but rather than taking $f(\sigma_1, \sigma_2)$ to be undefined in the proof, we take $f(\sigma_1, \sigma_2) = \sigma_0$. It is then a matter of taste whether it is more reasonable to consider partial SIFs or to assume that there are traces that cannot be generated by any protocol.
Proof: Given $\Sigma$, let $A$ consist of all the prefixes of traces in $\Sigma$. Since the set of all inputs and outputs is countable, $A$ must be a countable set. Let $\Sigma_c$ be a subset of $\Sigma$ such that for each prefix $\tau$ of length $n$ in $A$, there exists a trace $\sigma \in \Sigma_c$ such that $\sigma_{1:n} = \tau$. Clearly we can take $\Sigma_c$ to be countable. Now let $\Sigma' \subsetneq \Sigma$ be such that $\Sigma' \in \mathcal{S}'$, and let $A'$ consist of all prefixes of traces in $\Sigma'$. If $A = A'$, then an easy argument shows that, by limit closure, we must have $\Sigma = \Sigma'$. Thus, there must be some prefix $\tau$ in $A$ with no extension in $\Sigma'$. By construction of $\Sigma_c$, there is some trace $\sigma$ extending $\tau$ in $\Sigma_c$. Clearly, $\sigma \in \Sigma_c - \Sigma'$. |

Limit closure is a natural condition that arises frequently in practice. In particular, $\Sigma_{\mathcal{H}}$ is limit closed. Thus, $\mathcal{S}_{\mathcal{H}^*}$ is countably generated, even if the set of traces in $\Sigma_{\mathcal{H}^*}$ is uncountable. In light of this, a good case can be made that we are interested in $\mathcal{S}'$-representability only for sets $\mathcal{S}'$ that are countably generated.

Theorem 4.4: If $\mathcal{S}'$ is countably generated, then all security properties are $\mathcal{S}'$-representable by SIFs.

Proof: Suppose that $\Sigma \in \mathcal{S}'$. We show that there exists a SIF $f_\Sigma$ such that $\Sigma$ is the only set in $\mathcal{S}'$ that is closed under $f_\Sigma$. It follows that the security property $\mathcal{S}$ is $\mathcal{S}'$-representable by the set of SIFs $\{f_\Sigma : \Sigma \in \mathcal{S}\}$.

Since $\Sigma$ is in $\mathcal{S}'$ and $\mathcal{S}'$ is countably generated, there is a countable subset $\Sigma_c$ of $\Sigma$ with the properties from the definition. We take $f_\Sigma(\sigma, \sigma')$ to be undefined if at least one of $\sigma$ and $\sigma'$ is not in $\Sigma$. If both $\sigma$ and $\sigma'$ are in $\Sigma$, but only one of them is in $\Sigma_c$, then we take $f_\Sigma(\sigma, \sigma')$ to be exactly the trace in $\Sigma_c$. If neither of the traces is in $\Sigma_c$, then choose some trace $\sigma_c$ in $\Sigma_c$ and let it be equal to $f_\Sigma(\sigma, \sigma')$. There is one case left: both traces $\sigma$ and $\sigma'$ are in $\Sigma_c$.

Since $\Sigma_c$ is countable, it is either finite or countably infinite. If it is infinite, then without loss of generality it has the form $\{\sigma_k \mid k \in \mathbb{Z}\}$. Then $\sigma = \sigma_i$ and $\sigma' = \sigma_j$ for some $i$ and $j$. Let $f_\Sigma(\sigma_i, \sigma_j) = \sigma_{j+1}$ if $i$ is even, and $\sigma_{j-1}$ if $i$ is odd. It is easy to see that $\Sigma$ is closed under $f_\Sigma$. Suppose now that $\Sigma'$ in $\mathcal{S}'$ is closed under $f_\Sigma$ too. Then it must be the case that $\Sigma' \subseteq \Sigma$. Suppose that $\Sigma \neq \Sigma'$. By definition, there is some trace in $\Sigma_c$ that is not in $\Sigma'$. Thus, there is some $i$ such that $\sigma_i \in \Sigma'$, but at least one of $\sigma_{i-1}$ or $\sigma_{i+1}$ is not in $\Sigma'$. Suppose that $\sigma_{i-1} \notin \Sigma'$. If $i$ is odd, then $\sigma_{i-1} = f_\Sigma(\sigma_i, \sigma_i)$, and since $\Sigma'$ is closed under $f_\Sigma$ and $\sigma_i \in \Sigma'$, then $\sigma_{i-1}$ must be in $\Sigma'$, which contradicts our supposition. If $i$ is even, then $f_\Sigma(\sigma_i, \sigma_i) = \sigma_{i+1}$, so $\sigma_{i+1}$ must be in $\Sigma'$, and so $f_\Sigma(\sigma_{i+1}, \sigma_i) = \sigma_{i-1}$ is also in $\Sigma'$, which is again a contradiction. The argument if $\sigma_i \in \Sigma'$, but $\sigma_{i+1} \notin \Sigma'$ is similar, and left to the reader.

If $\Sigma_c$ is finite, then we can write it as $\{\sigma_1, \ldots, \sigma_k\}$ for some $k$. The proof is essentially the same, except that $i+1$ and $i-1$ are now taken modulo $k$. |

Although Theorem 4.4 shows that essentially every security property can be represented by SIFs, the representation is not terribly interesting. The proof requires one to work backwards from an explicit representation of the security property as a set of systems to the SIF. To the extent that SIFs are going to be a useful tool for representing security properties, there should be a more uniform way of representing security properties. For example, the representation of GNI or even NOS is essentially the same, independent of $\Sigma^*$. We do not know if there is a uniform way of representing, say, DGNI using SIFs, although it follows from Theorem 4.4 that it can be represented in essentially all cases of interest.

Interestingly, by somewhat extending the notion of SIF, we can give a more uniform 
definition of DGNI, as well as proving closure under conjunction. The idea is to allow a 
SIF to associate to all pairs of traces not necessarily a single trace, but a set of traces. 

Definition 4.5: A generalized SIF is a partial function from $\Sigma^* \times \Sigma^*$ to $2^{\Sigma^*}$. |

Clearly if we restrict to functions whose values are singletons, then we get SIFs as 
defined earlier. Thus, Theorems 4.1 and 4.4 continue to hold in the extended framework. 
But it is easy to see that the set of security properties representable by generalized SIFs 
is closed under conjunction. 

Proposition 4.6: The set of security properties $\mathcal{S}^*$-representable by generalized SIFs is closed under conjunction and disjunction.

Proof: Suppose that $\mathcal{S}_1$ is $\mathcal{S}^*$-representable by $F_1$, and $\mathcal{S}_2$ is $\mathcal{S}^*$-representable by $F_2$, where $F_1$ and $F_2$ are sets of generalized SIFs. For each $f \in F_1$ and $g \in F_2$, define $[f, g](\sigma_1, \sigma_2)$ to be undefined if either $f(\sigma_1, \sigma_2)$ or $g(\sigma_1, \sigma_2)$ is undefined, and $f(\sigma_1, \sigma_2) \cup g(\sigma_1, \sigma_2)$ otherwise. Let $F = \{[f, g] : f \in F_1, g \in F_2\}$. It is easy to show that if $\Sigma \in \mathcal{S}_1 \cap \mathcal{S}_2$, then $\Sigma$ is closed under $F$. Suppose now that $\Sigma$ is closed under $F$. Then for all $\sigma_1, \sigma_2 \in \Sigma$, there is some function $[f, g] \in F$ such that $[f, g](\sigma_1, \sigma_2) \subseteq \Sigma$. That means that $f(\sigma_1, \sigma_2)$ and $g(\sigma_1, \sigma_2)$ are both defined, and since their union is a subset of $\Sigma$, each of them is a subset of $\Sigma$. So $\Sigma$ is closed under $F_1$ and $F_2$; that is, $\Sigma \in \mathcal{S}_1 \cap \mathcal{S}_2$. Thus, we have closure under conjunction. The argument for closure under disjunction is identical to that for SIFs. |

Corollary 4.7: DGNI is $\Sigma^*$-representable by generalized SIFs.
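The construction in the proof of Proposition 4.6 can be run mechanically on small systems. The following Python is an added example and not code from the paper: it encodes GNI and reverse GNI as sets of single-valued SIFs acting on one period of a trace (written in the order high input, low input, high output, low output, as in Appendix A), builds the generalized SIFs $[f,g]$, and checks closure on the systems $\Sigma_{DGNI}$ and $\Sigma_{GNInotDGNI}$ from Appendix A. The function names, and the encoding of reverse GNI as the type $T_{((1:2),(1:0))}$ that Lemma A.7 uses, are this example's own choices.

```python
from itertools import product

# One period of a periodic trace (x1, x2, x3, x4)^omega, written in the order the
# appendix uses: (high input, low input, high output, low output).

def closed_under_sifs(system, sifs):
    """McLean-style closure under a set of single-valued SIFs: for every pair of
    traces, some SIF in the set maps the pair to a trace of the system."""
    return all(any(f(s, t) in system for f in sifs)
               for s in system for t in system)

def closed_under_gsifs(system, gsifs):
    """Closure under a set of generalized SIFs (Definition 4.5): for every pair,
    some function is defined on it and its whole value set lies in the system."""
    def ok(h, s, t):
        value = h(s, t)
        return value is not None and value <= system
    return all(any(ok(h, s, t) for h in gsifs) for s in system for t in system)

# GNI as a set of SIFs, one per free choice x of the high output: this is the
# type T((1:2),(0:2)) (high input from sigma, low view from tau).
F_GNI = [lambda s, t, x=x: (s[0], t[1], x, t[3]) for x in (0, 1)]
# Reverse GNI as the type T((1:2),(1:0)) used in Lemma A.7: low output is free.
F_RGNI = [lambda s, t, x=x: (s[0], t[1], s[2], x) for x in (0, 1)]

def conj(f, g):
    """The generalized SIF [f, g] from the proof of Proposition 4.6: undefined
    where f or g is undefined (signalled here by None), otherwise the union."""
    def h(s, t):
        a, b = f(s, t), g(s, t)
        if a is None or b is None:
            return None
        return {a, b}   # f and g are single-valued, so the union is at most a pair
    return h

# The set F = {[f, g] : f in F_GNI, g in F_RGNI} that represents DGNI.
F_DGNI = [conj(f, g) for f in F_GNI for g in F_RGNI]

def eight(shape):
    """The 8 traces obtained by letting x1, x2, x3 range over {0, 1}."""
    return frozenset(shape(x1, x2, x3) for x1, x2, x3 in product((0, 1), repeat=3))

# Two systems from Appendix A, encoded here for the check.
SIGMA_DGNI = frozenset(t for t in product((0, 1), repeat=4) if t != (1, 0, 1, 0))
SIGMA_GNI_NOT_DGNI = eight(lambda x1, x2, x3: (x1, x2, x2, x3))

def dgni_via_generalized_sifs(system):
    return closed_under_gsifs(system, F_DGNI)

def dgni_directly(system):
    """DGNI as the conjunction of closure under F_GNI and under F_RGNI."""
    return closed_under_sifs(system, F_GNI) and closed_under_sifs(system, F_RGNI)

if __name__ == "__main__":
    for name, system in [("Sigma_DGNI", SIGMA_DGNI), ("Sigma_GNInotDGNI", SIGMA_GNI_NOT_DGNI)]:
        print(name, "GNI:", closed_under_sifs(system, F_GNI),
              "reverse GNI:", closed_under_sifs(system, F_RGNI),
              "DGNI via [f,g]:", dgni_via_generalized_sifs(system))
```

Closure under $F$ forces both $f(\sigma_1,\sigma_2)$ and $g(\sigma_1,\sigma_2)$ into the system at once, which is exactly why the set-valued construction captures the conjunction: $\Sigma_{GNInotDGNI}$ is closed under $F_{GNI}$ but not under $F_{RGNI}$, so no $[f,g]$ works for it, while $\Sigma_{DGNI}$ passes.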

5 Related Approaches 

Zakinthinos and Lee [1997] (ZL from now on) also consider the question of expressing 
security properties, although their approach is slightly different from McLean's. They 
work in an asynchronous setting. However, many of their results also hold or have obvious 
analogues in McLean's synchronous setting (and ours hold in the asynchronous setting). 
The issue of synchrony vs. asynchrony is orthogonal to the issues we are discussing here. 

Among other things, ZL also point out that McLean's approach is insufficiently ex-
pressive. In particular, they focus on a property they call PSP (for Perfect Security
Property) which they claim is not expressible using SIFs.^ They also introduce a general
notion of security property that has some of the flavor of McLean's notion of "repre-
sentable by SIFs", in that it is defined by a closure condition. As in our approach, a
security property for ZL is a predicate on systems (that is, on sets of traces). However, for ZL, it is not an
arbitrary predicate; it must satisfy an additional constraint.

Definition 5.1: A predicate $\mathcal{S}$ on $2^{\Sigma^*}$ is a ZL-security property (on $\Sigma^*$) if there exists a
predicate $Q$ on $2^{\Sigma^*}$ such that, for all $\Sigma \subseteq \Sigma^*$, $\mathcal{S}(\Sigma)$ holds iff for all $\sigma \in \Sigma$, $Q(LLES(\sigma, \Sigma))$
holds, where $LLES(\sigma, \Sigma) = \{\tau \mid \tau \in \Sigma \wedge \tau|_L = \sigma|_L\}$ is the set of traces in $\Sigma$ with the same
low view as $\sigma$. ■

That is, if a set $\Sigma$ of traces is in $\mathcal{S}$, then for each trace $\sigma$ in $\Sigma$, $Q$ must hold for the set of all
traces in $\Sigma$ with the same low view as $\sigma$. Conversely, if for each $\sigma \in \Sigma$, $Q$ holds for the
set of all traces in $\Sigma$ with the same low view as $\sigma$, then $\Sigma$ satisfies the security property.

It is not clear why this is a reasonable definition of "security property". There is 
certainly no independent motivation for it. The following proposition gives at least one 
argument against it. 

Proposition 5.2: The set of ZL-security properties is not closed under disjunction. 

Proof: Let $\Sigma^*$ consist of two traces, $\sigma_0$ and $\sigma_1$, where $L$'s input and output are
always 0 in $\sigma_0$ and always 1 in $\sigma_1$. Thus, $LLES(\sigma_i, \Sigma^*) = \{\sigma_i\}$, for $i = 0, 1$. Clearly
$\mathcal{S}_0 = \{\{\sigma_0\}\}$ and $\mathcal{S}_1 = \{\{\sigma_1\}\}$ are both ZL-security properties (for $\mathcal{S}_0$ we take $Q$ to hold on
$\{\sigma_0\}$ only, while for $\mathcal{S}_1$ we take $Q$ to hold on $\{\sigma_1\}$ only). However, $\mathcal{S}_0 \cup \mathcal{S}_1$ is not a ZL-security
property. For suppose it is; let $Q$ be the corresponding security predicate. Then both
$Q(\{\sigma_0\})$ and $Q(\{\sigma_1\})$ must hold. But then $\Sigma^*$ would also satisfy $\mathcal{S}_0 \cup \mathcal{S}_1$, which it does
not. ■

On the other hand, Zakinthinos and Lee do show that a number of natural security 
properties are ZL-security properties, including SEP and GNI. A simple analysis shows 
that NOS is also a ZL-security property. 

Proposition 5.3: NOS is a ZL-security property.

Proof: It is easy to see that the definition of NOS is equivalent to the following definition:

$NOS(\Sigma) = \forall \sigma \in \Sigma.\ \forall H \in \mathcal{H}.\ \exists \tau \in H \cap LLES(\sigma, \Sigma)$.

Let $Q(A) = \forall H \in \mathcal{H}.\ A \cap H \neq \emptyset$. Thus, $NOS(\Sigma) = \forall \sigma \in \Sigma.\ Q(LLES(\sigma, \Sigma))$. ■

We now show that ZL-security properties are closed under conjunction. Since GNI is 
a ZL-security property, it follows that DGNI is too. 

^A proof of the result is sketched by Zakinthinos [1996]. While we believe the claim, we suspect that
a careful formal proof will be much longer and more involved, in light of the difficulty of our own proofs
of Theorems 3.1 and 3.2.
Theorem 5.4: The set of ZL-security properties is closed under conjunction.

Proof: Suppose $\mathcal{S}$ and $\mathcal{S}'$ are two ZL-security properties with $Q$ and $Q'$ their corresponding
security predicates. Then $\mathcal{S} \wedge \mathcal{S}'$ is the property that holds of a system $\Sigma$ iff

$\forall \sigma \in \Sigma.\ (Q \wedge Q')(LLES(\sigma, \Sigma))$.

It follows that $\mathcal{S} \wedge \mathcal{S}'$ is a ZL-security property with corresponding security predicate $Q \wedge Q'$.
■
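Proposition 5.2 and Theorem 5.4 can both be checked by brute force on small trace universes. The following Python is an added example, not part of the paper: it encodes traces as (high view, low view) pairs, computes $LLES$, and searches exhaustively for a predicate $Q$ whose induced ZL-security property equals a given set of systems. On the two-trace universe of Proposition 5.2 the search finds a $Q$ for $\mathcal{S}_0$ and for $\mathcal{S}_1$ but none for their disjunction; on a constructed four-trace universe it confirms that $Q \wedge Q'$ induces $\mathcal{S} \wedge \mathcal{S}'$ for every pair of candidate predicates. Only nonempty systems are considered, since every $Q$ holds vacuously of the empty system; the trace values and all names are assumptions of this example.

```python
from itertools import combinations

# Traces are (high view, low view) pairs. The two-trace universe of the proof of
# Proposition 5.2: sigma_0 has low view 0, sigma_1 has low view 1. (Constructed.)
SIGMA0 = ("h0", 0)
SIGMA1 = ("h1", 1)
UNIVERSE2 = frozenset({SIGMA0, SIGMA1})
# A constructed four-trace universe with two traces per low view, so that
# LLES sets are not all singletons.
UNIVERSE4 = frozenset({("h0", 0), ("h1", 0), ("h0", 1), ("h1", 1)})

def low_view(trace):
    return trace[1]

def lles(sigma, system):
    """LLES(sigma, Sigma) of Definition 5.1: the traces of Sigma with sigma's low view."""
    return frozenset(t for t in system if low_view(t) == low_view(sigma))

def subsets(items):
    items = list(items)
    for r in range(len(items) + 1):
        for c in combinations(items, r):
            yield frozenset(c)

def nonempty_systems(universe):
    # Every Q holds vacuously of the empty system, so it is left out.
    return [s for s in subsets(universe) if s]

def zl_property(q, universe):
    """The ZL-security property induced by Q, given as the set of LLES-sets on
    which Q holds: the systems all of whose LLES-sets satisfy Q."""
    return frozenset(s for s in nonempty_systems(universe)
                     if all(lles(sigma, s) in q for sigma in s))

def lles_candidates(universe):
    """The sets on which Q can matter at all: everything that arises as LLES."""
    return {lles(sigma, s) for s in nonempty_systems(universe) for sigma in s}

def find_zl_predicate(target, universe):
    """Exhaustive search for a Q whose induced property equals target (a set of
    systems); returns Q, or None if target is not a ZL-security property."""
    for q in subsets(lles_candidates(universe)):
        if zl_property(q, universe) == target:
            return q
    return None

def conjunction_is_zl(universe):
    """Theorem 5.4: the property induced by Q and Q' together is the conjunction
    of the properties induced by Q and by Q', for all candidate Q, Q'."""
    props = {q: zl_property(q, universe) for q in subsets(lles_candidates(universe))}
    return all(props[q1 & q2] == props[q1] & props[q2] for q1 in props for q2 in props)

S0 = frozenset({frozenset({SIGMA0})})
S1 = frozenset({frozenset({SIGMA1})})

if __name__ == "__main__":
    print("Q for S0:", find_zl_predicate(S0, UNIVERSE2))
    print("Q for S0 or S1:", find_zl_predicate(S0 | S1, UNIVERSE2))
    print("conjunction closed on 4-trace universe:", conjunction_is_zl(UNIVERSE4))
```

The search makes the proof of Proposition 5.2 visible: the only $Q$ that accepts both $\{\sigma_0\}$ and $\{\sigma_1\}$ also accepts $\Sigma^*$, so no $Q$ carves out exactly the disjunction, whereas intersecting two predicates always yields the intersection of the induced properties.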

As we said, ZL focus on a security property they call PSP. To explain PSP, we must
first review the asynchronous systems considered by ZL. For them (and also, for example,
for Mantel [2000]), a system is a tuple $(E, I, O, \Sigma)$, where $E$ is a set of events, partitioned
into two sets $L$ and $H$ (low events and high events), and $\Sigma$ is a set of traces, each of
which is a finite sequence of events in $E$.^ Given a trace $\sigma$, let $\sigma_H$ denote the subsequence
of $\sigma$ consisting of the high events and let $\sigma_L$ denote the subsequence consisting of low
events. It is quite straightforward to reformulate notions like SEP, GNI, DGNI, and NOS
in this framework; we omit the details here.

The definition of PSP given by ZL is somewhat complicated. Mantel [2000] reformu-
lates it in a more comprehensible way.

Definition 5.5: A system $\Sigma$ satisfies PSP if and only if for all $\sigma \in \Sigma$, $\sigma_L \in \Sigma$ and, for
all sequences of events $\alpha, \beta \in E^*$ and all events $e \in E$, if $e \in H$, $\beta\alpha \in \Sigma$, $(\beta\alpha)_L = \sigma_L$,
$\alpha_H = \langle\rangle$, and $\beta e \in \Sigma$, then it must be the case that $\beta e \alpha \in \Sigma$. ■

ZL show that PSP is a ZL-security property. We show that it is also representable 
by SIFs. 

Proposition 5.6: PSP is representable by SIFs.

Proof: Let $F$ consist of the single SIF $f$, where $f(\sigma_1,\sigma_2) = \beta e \alpha$ if there exist a high
event $e \in H$ and sequences of events $\alpha$ and $\beta$ such that $\alpha_H = \langle\rangle$, $\sigma_1 = \beta\alpha$, and $\sigma_2 = \beta e$;
otherwise $f(\sigma_1,\sigma_2) = (\sigma_1)_L$. Notice that $f$ is well defined since $\alpha$, $\beta$, and $e$, if they exist,
are uniquely determined by $\sigma_1$ and $\sigma_2$. Notice also that $f(\sigma_1,\sigma_1) = (\sigma_1)_L$.

Suppose that $\Sigma$ satisfies PSP. Let $\sigma_1$ and $\sigma_2$ be two arbitrarily chosen traces in $\Sigma$. If
there exist a high event $e$ and sequences of events $\alpha$ and $\beta$ such that $\sigma_1 = \beta\alpha$, $\alpha_H = \langle\rangle$,
and $\sigma_2 = \beta e$, then $(\beta\alpha)_L = (\sigma_1)_L$, and PSP ensures that $\beta e \alpha \in \Sigma$. Since $f(\sigma_1,\sigma_2) = \beta e \alpha$
in this case, $f(\sigma_1,\sigma_2) \in \Sigma$. On the other hand, if there do not exist such $e$, $\alpha$, and $\beta$,
then $f(\sigma_1,\sigma_2) = (\sigma_1)_L \in \Sigma$ since $\Sigma$ satisfies PSP. So $\Sigma$ is closed under $F$.

^Note that since ZL work in an asynchronous setting, their notion of "trace" is different from that 
defined in Section 2. We continue to use the term "trace" even in the asynchronous setting, and hope 
that what we mean is clear from context. 
For the opposite implication, suppose that $\Sigma$ is closed under $F$. Suppose that $\sigma \in \Sigma$,
$\alpha, \beta \in E^*$, $\alpha_H = \langle\rangle$, $e \in H$, $\beta\alpha \in \Sigma$, $(\beta\alpha)_L = \sigma_L$, and $\beta e \in \Sigma$. Since $\Sigma$ is closed under
$F$, $f(\beta\alpha, \beta e) = \beta e \alpha \in \Sigma$. Also $f(\sigma,\sigma) = \sigma_L$, and so $\sigma_L \in \Sigma$. But this is exactly
what we needed to prove that $\Sigma$ satisfies PSP. ■
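The two directions of Proposition 5.6 can be checked side by side on finite asynchronous systems. The Python below is an added example, not code from the paper: it implements Definition 5.5 directly (using the observation that the quantified $\sigma$ may be taken to be $\beta\alpha$ itself, so the condition $(\beta\alpha)_L = \sigma_L$ is automatic) and the single SIF $f$ from the proof, and runs both on three small constructed systems over the low events a, b and the high event h. The alphabet, the sample systems and the function names are assumptions of the example.

```python
LOW = {"a", "b"}     # low events (assumed alphabet)
HIGH = {"h"}         # high events (assumed alphabet)
# A trace is a string over the alphabet; a system is a set of such strings.

def proj(trace, events):
    """The subsequence of trace consisting of the given events (sigma_L, sigma_H)."""
    return "".join(e for e in trace if e in events)

def satisfies_psp(system):
    """Direct check of Definition 5.5 (Mantel's formulation of PSP)."""
    # (1) the low projection of every trace is itself a trace of the system
    if any(proj(s, LOW) not in system for s in system):
        return False
    # (2) a high event possible after beta can be inserted before any purely
    #     low continuation alpha of beta: beta e in Sigma implies beta e alpha in Sigma
    for ba in system:
        for i in range(len(ba) + 1):
            beta, alpha = ba[:i], ba[i:]
            if proj(alpha, HIGH):            # alpha_H must be the empty sequence
                continue
            for e in HIGH:
                if beta + e in system and beta + e + alpha not in system:
                    return False
    return True

def sif_f(s1, s2):
    """The single SIF f of the proof of Proposition 5.6: beta e alpha when
    s2 = beta e with e high and s1 = beta alpha with alpha purely low,
    otherwise the low projection of s1."""
    if s2 and s2[-1] in HIGH:
        beta, e = s2[:-1], s2[-1]
        if s1.startswith(beta):
            alpha = s1[len(beta):]
            if not proj(alpha, HIGH):
                return beta + e + alpha
    return proj(s1, LOW)

def closed_under_f(system):
    """Closure under F = {f}: f maps every pair of traces back into the system."""
    return all(sif_f(s1, s2) in system for s1 in system for s2 in system)

# Constructed sample systems.
SYS_PSP = frozenset({"", "a", "h", "ha", "ah", "hah"})   # satisfies PSP
SYS_NO_INSERT = frozenset({"", "a", "h"})                # "h" after "" but no "ha"
SYS_NO_LOWPROJ = frozenset({"", "h", "ha"})              # ("ha")_L = "a" is missing

if __name__ == "__main__":
    for name, system in [("PSP", SYS_PSP), ("no insert", SYS_NO_INSERT),
                         ("no low projection", SYS_NO_LOWPROJ)]:
        print(name, "Definition 5.5:", satisfies_psp(system),
              "closed under f:", closed_under_f(system))
```

The third system shows why the "otherwise" clause of $f$ matters: no high event can be inserted anywhere, so the only way closure fails is through $f(\sigma,\sigma) = \sigma_L$, which is exactly the first conjunct of Definition 5.5.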



6 Discussion 

McLean's framework has been the impetus for a number of frameworks for expressing 
security properties (e.g., [Mantel 2000; Zakinthinos and Lee 1997]), all based on defining 
security properties in terms of closure conditions. The question still remains as to what 
makes a framework "good" or better than another. Certainly one criterion is that an 
approach be "natural" and make it easy to express security properties. Yet another is 
that it be expressive, so that it can capture all natural security properties. 

We have examined McLean's SIF framework with regard to expressiveness. Our 
results show that, as McLean presented it (considering only types), the framework is 
insufficiently expressive to serve as a basis for expressing security properties. The fact that 
the properties expressible are not closed under conjunction or disjunction, and natural 
properties such as NOS and DGNI are not expressible, should suffice to make that clear. 
On the other hand, as we have shown, natural extensions of the SIF framework are 
quite expressive. In the process we have shown that Zakinthinos and Lee's approach also 
has some problems of expressibility; the set of security properties expressible in their 
framework is not closed under disjunction. 

The question still remains, of course, whether defining security properties in terms 
of closure conditions is the way to go. Mantel [2000] has perhaps the best-developed 
approach along these lines. He tries to provide a framework which "provides the expres- 
siveness of Zakinthinos and Lee's framework with the elegance of McLean's" . Certainly 
his "toolkit" approach to defining security properties seems promising. Nevertheless, it is 
far from clear to us that basing a framework on closure conditions is ultimately the right 
approach. It would be interesting to compare the expressive power and ease of use of 
these approaches to other approaches, such as process algebra (see, for example, [Focardi 
and Gorrieri 2001; Ryan and Schneider 1999; Ryan, Schneider, Goldsmith, Lowe, and
Roscoe 2001]) or a knowledge-based approach (see, for example, [?; Halpern and O'Neill
2002]).

A Appendix: Proofs 

In this appendix, we prove Theorems 3.1, 3.2, and 3.5. We restate the theorems for the 
readers' convenience. 

Theorem 3.1: NOS is not $\Sigma^*_H$-representable by a type.

Proof: We want to prove that there is no type $T$ such that for all systems $\Sigma \subseteq \Sigma^*_H$, $\Sigma$
satisfies NOS iff $\Sigma$ is closed under $T$. As we observed, there are only 81 possible types.
We proceed by a sequence of lemmas to eliminate each of these possibilities. The first of
these was already proved by McLean.

Lemma A.1: [McLean 1994, Theorem 2.4] Let $T'$ be the result of replacing 1 by 2 and
2 by 1 in $T$. (So, for example, if $T$ is $T_{((1:0),(2:1))}$ then $T'$ is $T_{((2:0),(1:2))}$.) Then a system
$\Sigma$ is closed under $T$ iff $\Sigma$ is closed under $T'$.

It is immediate from Lemma A.1 that if there is a type $T$ that represents NOS, then
we can assume without loss of generality that $in^H \neq 2$.

The following lemma is straightforward, and is left to the reader.

Lemma A.2: All systems are closed under the following types: $T_{((0:0),(0:0))}$, $T_{((0:0),(0:1))}$,
$T_{((0:0),(1:0))}$, $T_{((0:1),(0:0))}$, $T_{((1:0),(0:0))}$, $T_{((0:0),(1:1))}$, $T_{((0:1),(0:1))}$, $T_{((1:0),(0:1))}$, $T_{((0:1),(1:0))}$, $T_{((1:0),(1:0))}$,
$T_{((1:1),(0:0))}$, $T_{((1:1),(1:0))}$, $T_{((1:1),(0:1))}$, $T_{((1:0),(1:1))}$, $T_{((0:1),(1:1))}$, and $T_{((1:1),(1:1))}$ (and their equiv-
alent forms, as given by Lemma A.1).

Of course, it is immediate that if $\mathcal{S}$ is a nontrivial security property (i.e., $\mathcal{S}$ does not hold
of every system), then none of the types listed in Lemma A.2 can represent $\mathcal{S}$ (so, in particular, none of
them can represent NOS).

Consider now the system $\Sigma_{NOS}$ of Example 2.7 and recall that $\Sigma_{NOS}$ satisfies NOS.

Lemma A.3: If $T = T_{((in^H:in^L),(out^H:out^L))}$ $\Sigma^*_H$-represents NOS, then $in^H = 0$.

Proof: Suppose, by way of contradiction, that $T = T_{((in^H:in^L),(out^H:out^L))}$ with $in^H \neq 0$ $\Sigma^*_H$-
represents NOS. Based on Lemma A.1, with no loss of generality we can consider $in^H = 1$.
Since $\Sigma_{NOS}$ satisfies NOS, it must be closed under $T = T_{((1:in^L),(out^H:out^L))}$. If at
least one of $in^L$, $out^H$, $out^L$ is 2, then the interleaving of $\sigma$ and $\tau$ results in a trace that,
after the second step, has both zeros and ones, and so it is not in $\Sigma_{NOS}$. So $in^L$, $out^H$, $out^L$
are each either 0 or 1; but then, by Lemma A.2, all systems are closed under $T$. This can't be
true since NOS is not trivial. ■

Lemma A.4: If $T = T_{((0:in^L),(out^H:out^L))}$ $\Sigma^*_H$-represents NOS, then $in^L = 0$.

Proof: Suppose, by way of contradiction, that $T = T_{((0:in^L),(out^H:out^L))}$ with $in^L \neq 0$
$\Sigma^*_H$-represents NOS. Based on Lemma A.1, with no loss of generality we can consider
$in^L = 1$. $\Sigma_{NOS}$ satisfies NOS, so it is closed under $T = T_{((0:1),(out^H:out^L))}$. If at least one of
$out^H$ and $out^L$ is 2, then the interleaving of $\sigma$ and $\tau$ contains both 0 and 1 after the second
step, and so it is not in $\Sigma_{NOS}$. Then $out^H$ and $out^L$ are both 0 or 1; by Lemma A.2, all
systems are closed under $T$, which contradicts the fact that NOS is not trivial. ■

Following the same pattern, we can prove

Lemma A.5: If $T = T_{((0:0),(out^H:out^L))}$ $\Sigma^*_H$-represents NOS, then $out^H = 0$.

From Lemmas A.3, A.4 and A.5 it follows that $T = T_{((0:0),(0:out^L))}$; but then by
Lemmas A.1 and A.2 and since NOS is not trivial, $T$ cannot $\Sigma^*_H$-represent NOS. ■

Theorem 3.2: DGNI is not $\Sigma^*$-representable by a type.

Proof: Suppose, by way of contradiction, that there is a type $T = T_{((in^H:in^L),(out^H:out^L))}$
that $\Sigma^*$-represents DGNI. The following two lemmas establish a contradiction:

Lemma A.6: If $T = T_{((in^H:in^L),(out^H:out^L))}$ $\Sigma^*$-represents DGNI, then at least one of
$in^H$, $in^L$, $out^H$, $out^L$ is 0.

Proof: Recall $\Sigma_{DGNI}$ of Example 2.5, with 15 traces of the form $(x_1,x_2,x_3,x_4)^\omega$, $x_1, x_2,
x_3, x_4 \in \{0,1\}$, with the exception of $(1,0,1,0)^\omega$. $\Sigma_{DGNI}$ satisfies DGNI. If $T =
T_{((in^H:in^L),(out^H:out^L))}$ $\Sigma^*$-represents DGNI, then $\Sigma_{DGNI}$ is closed under $T$.

Suppose, by way of contradiction, that none of $in^H$, $in^L$, $out^H$ and $out^L$ is 0. By
Lemma A.1, we can assume with no loss of generality that $in^H = 1$. If all of $in^L$, $out^H$ and
$out^L$ are 1, then by Lemma A.2, all systems are closed under $T$, which contradicts the fact
that DGNI is not trivial. So at least one of $in^L$, $out^H$ and $out^L$ is 2. Take $\tau = (0,0,1,0)^\omega$;
$\tau \in \Sigma_{DGNI}$. Take $\sigma = (1,x,y,z)^\omega$ obtained from $(1,0,1,0)^\omega$ in the following way: if
$in^L = 1$ take $x = 0$, otherwise take $x = 1$; if $out^H = 1$ then take $y = 1$, otherwise $y = 0$;
if $out^L = 1$ take $z = 0$, otherwise $z = 1$. Since at least one of $in^L$, $out^H$ and $out^L$ is 2,
$\sigma \neq (1,0,1,0)^\omega$, so $\sigma \in \Sigma_{DGNI}$. But an interleaving of type $T$ of $\sigma$ and $\tau$ results in
$(1,0,1,0)^\omega$, which is not in $\Sigma_{DGNI}$. This contradicts the fact that $\Sigma_{DGNI}$ is closed under $T$. ■

Lemma A.7: If $T = T_{((in^H:in^L),(out^H:out^L))}$ $\Sigma^*$-represents DGNI, then none of $in^H$, $in^L$, $out^H$, $out^L$
is 0.

Proof: Consider the system $\Sigma_{notGNI}$ with 8 traces of the form $(x_1,x_1,x_2,x_3)^\omega$, $x_1, x_2, x_3 \in
\{0,1\}$. $\Sigma_{notGNI}$ does not satisfy GNI, since an interleaving of type $T_{((1:2),(0:2))}$ of the traces
$\sigma_1 = (0,0,0,0)^\omega$ and $\sigma_2 = (1,1,1,1)^\omega$, both in $\Sigma_{notGNI}$, has the form $(0,1,x,1)^\omega$, which is
not in $\Sigma_{notGNI}$. It follows that $\Sigma_{notGNI}$ does not satisfy DGNI either. $\Sigma_{notGNI}$ is closed
under all types $T = T_{((in^H:in^L),(out^H:out^L))}$ with $in^H = 0$ or $in^L = 0$; it follows that if
$T = T_{((in^H:in^L),(out^H:out^L))}$ $\Sigma^*$-represents DGNI, then $in^H \neq 0$ and $in^L \neq 0$.

Consider the system $\Sigma_{GNInotDGNI}$ consisting of 8 traces of the form $(x_1,x_2,x_2,x_3)^\omega$,
with $x_1, x_2, x_3 \in \{0,1\}$. $\Sigma_{GNInotDGNI}$ satisfies GNI, since an interleaving of type $T_{((1:2),(0:2))}$
of two traces $(x_1,x_2,x_2,x_3)^\omega$ and $(y_1,y_2,y_2,y_3)^\omega$ has the form $(x_1,y_2,x,y_3)^\omega$, and for
$x = y_2$ this is a trace in $\Sigma_{GNInotDGNI}$. But $\Sigma_{GNInotDGNI}$ does not satisfy reverse GNI,
and hence not DGNI either, since an interleaving of type $T_{((1:2),(1:0))}$ of the traces $(0,0,0,0)^\omega$
and $(1,1,1,1)^\omega$ has the form $(0,1,0,x)^\omega$, which is not in $\Sigma_{GNInotDGNI}$. $\Sigma_{GNInotDGNI}$ is
closed under all types $T = T_{((in^H:in^L),(out^H:out^L))}$ with $in^L = 0$ or $out^H = 0$. It means that,
if $T = T_{((in^H:in^L),(out^H:out^L))}$ $\Sigma^*$-represents DGNI, then $in^L \neq 0$ and $out^H \neq 0$.

Finally, take $\Sigma'_{notGNI}$ to be the system with 8 traces of the form $(x_1,x_2,x_3,x_1)^\omega$,
$x_1, x_2, x_3 \in \{0,1\}$; $\Sigma'_{notGNI}$ does not satisfy GNI, and hence not DGNI either, since
an interleaving of type $T_{((1:2),(0:2))}$ of $(0,0,0,0)^\omega$ and $(1,1,1,1)^\omega$, both in $\Sigma'_{notGNI}$, has
the form $(0,1,x,1)^\omega$, which is not in $\Sigma'_{notGNI}$. $\Sigma'_{notGNI}$ is closed under all types $T =
T_{((in^H:in^L),(out^H:out^L))}$ with $in^H = 0$ or $out^L = 0$. It follows that, if $T = T_{((in^H:in^L),(out^H:out^L))}$
$\Sigma^*$-represents DGNI, then $in^H \neq 0$ and $out^L \neq 0$. ■

Theorem 3.5: The set of security properties representable by types is not closed under
disjunction.

Proof: The proof is a corollary of the following proposition:

Proposition A.8: Let $\mathcal{S}$ be the security property represented by $T_{((1:2),(2:2))}$, and $\mathcal{S}'$
the security property resulting from the disjunction of SEP and $\mathcal{S}$. Then $\mathcal{S}'$ is not $\Sigma^*$-
representable by types.

Proof: Suppose, by way of contradiction, that there is some type $T = T_{((in^H:in^L),(out^H:out^L))}$
that represents $\mathcal{S}'$. Then a system is closed under $T_{((1:2),(1:2))}$ (the type corresponding to
SEP) or under $T_{((1:2),(2:2))}$ if and only if it is closed under $T$. Let $\Sigma_{SEP}$ be the system consisting
of the 8 traces of the form $(x_1,x_2,x_3,x_2)^\omega$, with $x_1, x_2, x_3 \in \{0,1\}$. Thus, in all
traces of $\Sigma_{SEP}$, the low output is the same as the low input and independent of the high
view. So $\Sigma_{SEP}$ satisfies SEP.

It is easy to see that both $\Sigma_{GNInotDGNI}$ and $\Sigma_{SEP}$ are in $\mathcal{S}'$, since $\Sigma_{GNInotDGNI}$
is closed under $T_{((1:2),(2:2))}$ and $\Sigma_{SEP}$ satisfies SEP. It is also easy to see that neither
$\Sigma_{notGNI}$ nor $\Sigma'_{notGNI}$ is in $\mathcal{S}'$, since neither system satisfies SEP
and neither is closed under $T_{((1:2),(2:2))}$. From Lemma A.1, it follows that there is a type
$T_{((in^H:in^L),(out^H:out^L))}$ that $\Sigma^*$-represents $\mathcal{S}'$ if and only if there is a type $T_{((in^H:in^L),(out^H:out^L))}$
with $in^H \neq 2$ that $\Sigma^*$-represents $\mathcal{S}'$. Thus, it suffices to show that there is no type that
represents $\mathcal{S}'$ with $in^H$ equal to 0 or 1. The following two lemmas show that neither
case can happen.

Lemma A.9: There is no type $T = T_{((0:in^L),(out^H:out^L))}$ that $\Sigma^*$-represents $\mathcal{S}'$.

Proof: Suppose, by way of contradiction, that $T = T_{((0:in^L),(out^H:out^L))}$ $\Sigma^*$-represents $\mathcal{S}'$. All
systems are closed under $T_{((0:0),(out^H:out^L))}$ for $(out^H, out^L) \notin \{(1,2),(2,1)\}$ and under
$T_{((0:2),(0:out^L))}$ for $out^L \in \{0,2\}$. Since $\mathcal{S}'$ is not trivial, we can rule out all these types. By
Lemma A.1, the type $T = T_{((0:0),(1:2))}$ is equivalent to $T_{((0:0),(2:1))}$, and $\Sigma_{notGNI}$ is closed under
$T$, although it is not in $\mathcal{S}'$; similarly, $\Sigma_{GNInotDGNI}$ is in $\mathcal{S}'$, but is not closed under the types
$T_{((0:2),(1:out^L))}$. ■

Lemma A.10: There is no type $T = T_{((1:in^L),(out^H:out^L))}$ that $\Sigma^*$-represents $\mathcal{S}'$.

Proof: Again, suppose by way of contradiction that there is some type $T = T_{((1:in^L),(out^H:out^L))}$
that $\Sigma^*$-represents $\mathcal{S}'$. If $in^L \in \{0,1\}$, then $\Sigma_{notGNI}$ is closed under $T$, but it is not in
$\mathcal{S}'$. $\Sigma'_{notGNI}$ is closed under $T_{((1:2),(out^H:1))}$, $T_{((1:2),(2:0))}$ and $T_{((1:2),(0:0))}$, but is not in $\mathcal{S}'$,
so we can rule out these types too. $T$ cannot be any of the types $T_{((1:2),(1:out^L))}$, since
$\Sigma_{GNInotDGNI} \in \mathcal{S}'$ and is not closed under them; similarly, $T \neq T_{((1:2),(2:2))}$ since $\Sigma_{SEP}$ is
not closed under it, while it is in $\mathcal{S}'$.

We are left with the type $T_{((1:2),(0:2))}$ that represents GNI. Consider the system $\Sigma$
consisting of the traces of the form $(0,x_1,x_1,x_2)^\omega$ and the traces of the form $(1,x_1,1-x_1,x_2)^\omega$,
with $x_1, x_2 \in \{0,1\}$. $\Sigma$ satisfies GNI, since any low view is compatible with any high input
sequence. Thus, $\Sigma$ is closed under the type $T_{((1:2),(0:2))}$. However, $\Sigma$ is not separable and
it is not in $\mathcal{S}$, hence $\Sigma \notin \mathcal{S}'$. Thus, $T_{((1:2),(0:2))}$ does not $\Sigma^*$-represent $\mathcal{S}'$. ■
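The appendix's case analysis rests on a handful of small systems and on checking closure under a type $T_{((in^H:in^L),(out^H:out^L))}$. The Python below is an added example, not the paper's own code: it encodes one period of each periodic trace as a 4-tuple in the order (high input, low input, high output, low output), implements the interleavings of a type (a component marked 1 is copied from $\sigma$, 2 from $\tau$, 0 is free) and the closure condition, and rebuilds the systems of Lemmas A.6, A.7 and Proposition A.8 so that the facts claimed about them can be recomputed, along with Lemmas A.1 and A.2 over all 81 types. Letting a free component take one constant value per period is enough here because every trace of these systems is constant; that restriction, and all names, are assumptions of this example.

```python
from itertools import product

# One period of a periodic trace (x1, x2, x3, x4)^omega, in the order used by the
# appendix: (high input, low input, high output, low output). A type
# T((inH:inL),(outH:outL)) is written as the 4-tuple (inH, inL, outH, outL).
B = (0, 1)

def interleavings(typ, sigma, tau):
    """All traces an interleaving of type typ may produce from sigma and tau:
    component k is copied from sigma if typ[k] == 1, from tau if typ[k] == 2,
    and ranges over {0, 1} if typ[k] == 0 (free; taken constant, see lead-in)."""
    choices = []
    for k, sel in enumerate(typ):
        if sel == 1:
            choices.append((sigma[k],))
        elif sel == 2:
            choices.append((tau[k],))
        else:
            choices.append(B)
    return [tuple(c) for c in product(*choices)]

def closed_under(system, typ):
    """Sigma is closed under T iff for every pair sigma, tau in Sigma some
    interleaving of type T is again in Sigma."""
    return all(any(r in system for r in interleavings(typ, s, t))
               for s in system for t in system)

def swap12(typ):
    """The type T' of Lemma A.1: the roles 1 and 2 exchanged."""
    return tuple({1: 2, 2: 1}.get(x, x) for x in typ)

SEP = (1, 2, 1, 2)     # T((1:2),(1:2))
GNI = (1, 2, 0, 2)     # T((1:2),(0:2))
RGNI = (1, 2, 1, 0)    # T((1:2),(1:0)), the type Lemma A.7 uses for reverse GNI
ALL_TYPES = list(product((0, 1, 2), repeat=4))          # the 81 types
TRIVIAL_TYPES = list(product((0, 1), repeat=4))         # the 16 types of Lemma A.2

def eight(shape):
    """The 8 traces obtained by letting x1, x2, x3 range over {0, 1}."""
    return frozenset(shape(x1, x2, x3) for x1, x2, x3 in product(B, repeat=3))

# The systems of Appendix A.
SIGMA_DGNI = frozenset(t for t in product(B, repeat=4) if t != (1, 0, 1, 0))
SIGMA_NOT_GNI = eight(lambda x1, x2, x3: (x1, x1, x2, x3))
SIGMA_GNI_NOT_DGNI = eight(lambda x1, x2, x3: (x1, x2, x2, x3))
SIGMA_NOT_GNI2 = eight(lambda x1, x2, x3: (x1, x2, x3, x1))    # Sigma'_notGNI
SIGMA_SEP = eight(lambda x1, x2, x3: (x1, x2, x3, x2))
SIGMA_A10 = frozenset({(0, x1, x1, x2) for x1, x2 in product(B, repeat=2)} |
                      {(1, x1, 1 - x1, x2) for x1, x2 in product(B, repeat=2)})
SYSTEMS = [SIGMA_DGNI, SIGMA_NOT_GNI, SIGMA_GNI_NOT_DGNI,
           SIGMA_NOT_GNI2, SIGMA_SEP, SIGMA_A10]

def lemma_a6_pair(typ):
    """For a type with inH = 1 and no zero component, the traces sigma and tau
    built in the proof of Lemma A.6; their only interleaving is (1, 0, 1, 0)."""
    _, in_l, out_h, out_l = typ
    sigma = (1, 0 if in_l == 1 else 1, 1 if out_h == 1 else 0, 0 if out_l == 1 else 1)
    tau = (0, 0, 1, 0)
    return sigma, tau

def closed_types(system):
    """All types among the 81 under which the system is closed."""
    return {t for t in ALL_TYPES if closed_under(system, t)}

if __name__ == "__main__":
    print("Sigma_SEP satisfies SEP:", closed_under(SIGMA_SEP, SEP))
    print("Sigma_GNInotDGNI: GNI", closed_under(SIGMA_GNI_NOT_DGNI, GNI),
          "reverse GNI", closed_under(SIGMA_GNI_NOT_DGNI, RGNI))
    print("types closing Sigma_notGNI:", len(closed_types(SIGMA_NOT_GNI)))
```

The checks reproduce Lemma A.2 (every system is closed under the 16 types with components in $\{0,1\}$), Lemma A.1 (closure is invariant under exchanging 1 and 2), the closure facts used in Lemmas A.6 and A.7, and the GNI/SEP facts about the last system of Lemma A.10. One discrepancy is worth recording: with this encoding $\Sigma_{SEP}$ comes out closed under $T_{((1:2),(2:2))}$, because the interleaving $(s_1,t_2,t_3,t_2)$ again has low output equal to low input, so the statement at the end of Lemma A.10 that $\Sigma_{SEP}$ is not closed under that type does not reproduce and should be re-checked against the definitions.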